Acyclic Strategy for Silent Self-Stabilization in Spanning Forests

HAL Id: hal-01784570

https://hal.science/hal-01784570

Submitted on 3 May 2018

HAL is a multi-disciplinary open access archive for the deposit and dissemination of sci- entific research documents, whether they are pub- lished or not. The documents may come from teaching and research institutions in France or abroad, or from public or private research centers.

L’archive ouverte pluridisciplinaire HAL, est destinée au dépôt et à la diffusion de documents scientifiques de niveau recherche, publiés ou non, émanant des établissements d’enseignement et de recherche français ou étrangers, des laboratoires publics ou privés.

Acyclic Strategy for Silent Self-Stabilization in Spanning Forests

Karine Altisen, Stéphane Devismes, Anaïs Durand

To cite this version:

Karine Altisen, Stéphane Devismes, Anaïs Durand. Acyclic Strategy for Silent Self-Stabilization in Spanning Forests. [Research Report] VERIMAG UMR 5104, Université Grenoble Alpes, France. 2018.

�hal-01784570�

Acyclic Strategy for Silent Self-Stabilization in Spanning Forests

Karine Altisen

, St´ ephane Devismes

, and Ana¨ıs Durand

1 Univ. Grenoble Alpes, CNRS, Grenoble INP, VERIMAG, 38000 Grenoble, France 2 IRISA, INRIA Rennes

Abstract

In this paper, we study a general class of algorithms designed for networks endowed with a sense of direction describing a spanning forest (e.g., a directed tree or a network where a directed spanning tree is available) whose characterization is a simple (i.e., quasi-syntactic) condition. We show that any algorithm of this class is (1) silent and self-stabilizing under the distributed unfair daemon, and (2) has a stabilization time which is polynomial in moves and asymptotically optimal in rounds. To illustrate the versatility of our method, we review several existing works where our results apply.

Keywords: Self-stabilization, silence, tree networks, bottom-up actions, and top- down actions.

1 Introduction

Self-stabilization [1] is a versatile technique to withstand any finite number of transient faults in a distributed system: regardless of the arbitrary initial configuration of the system (and therefore also after the occurrence of transient faults), a self-stabilizing (distributed) algorithm is able to recover in finite time a so-calledlegitimate configuration from which its behavior conforms to its specification.

After the seminal work of Dijkstra, many self-stabilizing algorithms have been proposed to solve various tasks such as spanning tree constructions [2], token circulations [3], clock synchronization [4], propagation of information with feedbacks [5]. Those works consider a large taxonomy of topologies: ring [6, 7], (directed) trees [5, 8, 9], planar graphs [10, 11], arbitrary connected graphs [12, 13], etc. Among those topologies, the class of directed (in-) trees (i.e., trees where one process is distinguished as the root and edges are oriented toward the root) is of particular interest. Indeed, such topologies often appears, at an intermediate level, in self-stabilizing composite algorithms. Composition is a popular way to design self- stabilizing algorithms [14] since it allows to simplify both the design and proofs. Numerous self-stabilizing algorithms, e.g., [15, 2, 16], are actually made as a composition of a spanning

directed treelike (e.g. tree or forest) construction and some other algorithms specifically de- signed for directed tree/forest topologies. Notice that, even though not mandatory, most of these constructions achieve an additional property calledsilence[17]: a silent self-stabilizing algorithm converges within finite time to a configuration from which the values of the com- munication registers used by the algorithm remain fixed. Silence is a desirable property.

Indeed, as noted in [17], the silent property usually implies more simplicity in the algorithm design, and so allows to write simpler proofs; moreover, a silent algorithm may utilize less communication operations and communication bandwidth.

In this paper, we consider the locally shared memory model with composite atomicity introduced by Dijkstra [1], which is the most commonly used model in self-stabilization.

In this model, executions proceed in (atomic) steps and the asynchrony of the system is captured by the notion of daemon. The weakest (i.e., the most general) daemon is the distributed unfair daemon. Hence, solutions stabilizing under such an assumption are highly desirable, because they work under any other daemon assumption.

The daemon assumption and time complexity are closely related. Thestabilization time, i.e., the maximum time to reach a legitimate configuration starting from an arbitrary one, is the main time complexity measure to compare self-stabilizing algorithms. It is usually evaluated in terms of rounds, which capture the execution time according to the speed of the slowest process. But, another crucial issue is the number of local state updates, called moves. Indeed, the stabilization time in moves captures the amount of computations an algorithm needs to recover a correct behavior. Now, this latter complexity can be bounded only if the algorithm works under an unfair daemon. Actually, if an algorithm requires a stronger daemon to stabilize, e.g., a weakly fair daemon, then it is possible to construct executions whose convergence is arbitrary long in terms of (atomic) steps, meaning that, in such executions, there are processes whose moves do not make the system progress in the convergence. In other words, these latter processes waste computation power and so energy.

Such a situation should be therefore prevented, making the unfair daemon more desirable than the weakly fair one.

There are many self-stabilizing algorithms proven under the distributed unfair daemon, e.g., [13, 18, 19, 20, 21]. However, analyses of the stabilization time in moves is rather unusual and this may be an important issue. Indeed, recently, several self-stabilizing algorithms which work under a distributed unfair daemon have been shown to have an exponential stabilization time in moves in the worst case, e.g., the silent leader election algorithms from [19, 20] (as shown in [13]), the Breadth-First Search (BFS) algorithm of Huang and Chen [22] (as shown in [23]), or the silent self-stabilizing algorithm for the shortest-path spanning tree of [21] (as shown in [24]).

Contribution. In this paper, we study a general class of algorithms designed for networks endowed with a sense of direction describing a spanning forest (e.g., a directed tree, or a network where a directed spanning tree is available) whose characterization is a simple (i.e., quasi-syntactic) condition. We show that any algorithm of this class is (1) silent and self- stabilizing under the distributed unfair daemon, and (2) has a stabilization time which is polynomial in moves and asymptotically optimal in rounds.

Our condition, referred to as acyclic strategy, is based on the notions of top-down and

bottom-up actions. Until now, these types of actions was used rather informally in the context of self-stabilizing algorithms dedicated to directed trees. Our first goal has been to formally define these two paradigms. We have then compiled this formalization together with a notion of acyclic causality between actions and a last criteria called correct-alone (n.b., only this latter criteria is not syntactic) to obtain the notion of acyclic strategy. We show that any algorithm that follows an acyclic strategy reaches a terminal configuration in a polynomial number of moves, assuming a distributed unfair daemon. Hence, if its terminal configurations conform to the specification, then the algorithm is both silent and self-stabilizing. Unfortunately, we show that our condition is not sufficient to guarantee a stabilization time that is asymptotically optimal in rounds,i.e.,O(H) rounds whereH is the height of the spanning forest. However, we propose to enforce our condition with an extra property, calledlocal mutual exclusivity, which is sufficient to obtain the asymptotic optimal bound in rounds. Finally, we propose a generic method to add this latter property to any algorithm that follows an acyclic strategy but is not locally mutually exclusive, allowing then to obtain a complexity in O(H) rounds. Our method has no overhead in terms of moves.

Finally, to illustrate the versatility of our method, we review several existing works where our results apply.

Related Work. General schemes and efficiency are usually understood as orthogonal is- sues. For example, general schemes have been proposed [25, 26] to transform almost any algorithm (specifically, those algorithms that can be self-stabilized) for arbitrary connected and identified networks into their corresponding stabilizing version. Such universal trans- formers are, by essence, inefficient both in terms of space and time complexities: their purpose is only to demonstrate the feasibility of the transformation. In [25], authors con- sider asynchronous message-passing systems, while the synchronous locally shared memory model is assumed in [26].

However, few works, like [27, 28, 29], target both general self-stabilizing algorithm pat- terns and efficiency in rounds.

In [27, 28], authors propose a method to design silent self-stabilizing algorithms for a class of fix-point problems (namely fix-point problems which can be expressed using r- operators). Their solution works in non-bidirectional networks using bounded memory per process. In [27], they consider the locally shared memory model with composite atomicity assuming a distributed unfair daemon, while in [28], they bring their approach to asyn- chronous message-passing systems. In both papers, they establish a stabilization time in O(D) rounds, where D is the network diameter, that holds for the synchronous case only, moreover move complexity is not considered.

The remainder of the related work only concerns the locally shared memory model with composite atomicity assuming a distributed unfair daemon.

In [29], authors use the concept of labeling scheme introduced by Korman et al [30]

to design silent self-stabilizing algorithms with bounded memory per process. Using their approach, they show that, every static task has a silent self-stabilizing algorithm which converges within a linear number of rounds in an arbitrary identified network, however no move complexity is given.

To our knowledge, until now, only two works [31, 32] conciliate general schemes for sta-

bilization and efficiency in both moves and rounds. In [31], Cournier et alpropose a general scheme for snap-stabilizing wave, henceforth non-silent, algorithms in arbitrary connected and rooted networks. Using their approach, one can obtain snap-stabilizing algorithms that execute each wave in polynomial number of rounds and moves. In [32], authors propose a general scheme to compute, in a linear number of rounds, spanning directed treelike data structures on arbitrary networks. They also exhibit polynomial upper bounds on its stabi- lization time in moves holding for large classes of instantiations of their scheme. Hence, our approach is complementary to [32].

Roadmap. The remainder of the paper is organized as follows. In the next section, we present the computational model and basic definitions. In Section 3, we define the notion of acyclic strategy based on the notions of top-down and bottom-up actions. In Section 4, we exhibit a polynomial upper bound on the move complexity of algorithms that follow an acyclic strategy. In Section 5, we propose a simple case study. This example shows that our upper bound is tight, but in contrast, the acyclic strategy is not restrictive enough as it allows degenerated solutions where the stabilization time in rounds is in Ω(n) wheren is the number of processes in the network. In Section 6, we show that any algorithm that follows an acyclic strategy and whose actions are locally mutually exclusive stabilizes inO(H) rounds, where H is the height of the spanning forest; we also show how to add this latter property without increasing the move complexity. In Section 7, we review several existing works where our method allows to trivially deduce both correctness and stabilization time (both in terms of moves and rounds). Section 8 is dedicated to concluding remarks.

2 Preliminaries

We consider the locally shared memory model with composite atomicity [1] where processes communicate using locally shared variables.

2.1 Network

A network is made of a set of n interconnected processes. Communications are assumed to be bidirectional. Hence, we model the topology of the network by a simple undirected graph G = (V, E), where V is a set of processes and E is a set of edges that represents communication links, i.e.,{p, q} ∈E means thatpand qcan directly exchange information.

In this latter case, p and q are said to be neighbors. For a process p∈V, we denote by p.Γ the set of its neighbors: p.Γ = {q ∈ V : {p, q} ∈ E}. We also note ∆ the degree of G, namely ∆ = max{|p.Γ| : p∈V}.

2.2 Algorithm

Adistributed algorithmA is a collection ofn=|V|local algorithms, each one operating on a single process: A ={A(p) : p∈V}where each processpis equipped with a local algorithm A(p) = (V ar_p, Actions_p):

• V arp is the finite set of variables of p,

• Actions_p is a finite set of actions (guarded commands).

Notice that A may not be uniform in the sense that some local algorithm A(p) may be different from some other(s). We identify each variable involved in Algorithm A by the notation p.x∈ V ar_p, where x is the name of the variable and p∈V the process that holds it. Each processpruns its local algorithmA(p) by atomically executing actions. If executed, an action of p consists of reading all variables of pand its neighbors, and then writing into a part of thewritable (i.e., non-constant) variables of p. Of course, in this case, the written values depend on the last values read by p. For a process p∈V, each action in Actionsp is written as follows

L(p) :: G(p) 7−→ S(p)

L(p) is a label used to identify the action in the discussion. The guard G(p) is a Boolean predicate involving variables of p and its neighbors. The statement S(p) is a sequence of assignments on writable variables of p. A variable q.x is said to be G-read by L(p) if q.x is involved in predicate G(p) (in this case, q is either p or one of its neighbors). Let G-Read(L(p)) be the set of variables that are G-read by L(p). A variable p.x is said to be written by L(p) if p.x appears as a left operand in an assignment of S(p). Let Write(L(p)) be the set of variables written by L(p).

An action can be executed by a process ponly if it is enabled, i.e., its guard evaluates to true. By extension, a process is said to beenabledwhen at least one of its actions is enabled.

2.3 Semantics

Thestate of a processp∈V is a vector of valuations of its variables and belongs to C(p), the Cartesian product of the sets of all possible valuations for each variables ofp. Aconfiguration of an algorithm A is a vector made of a state of each process in V. We denote by C = Πp∈VC(p) the set of all possible configuration (ofA). For any configurationγ ∈ C, we denote by γ(p) (resp. γ(p).x) the state of process p ∈V (resp. the value of the variable x ∈ V ar_p of process p) in configurationγ.

The asynchronism of the system is modeled by an adversary, called thedaemon. Assume that the current configuration of the system is γ. If the set of enabled processes in γ is empty, then γ is said to be terminal. Otherwise, a step of A is performed as follows: the daemon selects a non-empty subset S of enabled processes in γ, and every process p in S atomically executes one of its action enabled inγ, leading the system to a new configuration γ⁰. The step (of A) from γ to γ⁰ is noted γ 7→ γ⁰: 7→ is the binary relation over C defining all possible steps of A in G. Precisely, in γ 7→ γ⁰, for every selected process p, γ⁰(p) is set according to the statement of the action executed by pbased on the values it G-reads on γ, whereasγ⁰(q) =γ(q) for every non-selected processq.

An execution of A is a maximal sequence γ0γ1...γi... of configurations of C such that γi−1 7→γ_i for alli > 0. The term “maximal” means that the execution is either infinite, or ends at a terminal configuration.

Recall that executions are driven by a daemon. We define a daemonDas a predicate over executions. An execution eis then said to be an execution under the daemon D if esatisfies D. In this paper, we assume that the daemon isdistributedandunfair. “Distributed” means that, unless the configuration is terminal, the daemon selects at least one enabled process

(maybe more) at each step. “Unfair” means that there is no fairness constraint, i.e., the daemon might never select a process unless it is the only enabled one.

2.4 Time Complexity

We measure the time complexity of an algorithm using two notions: rounds[33] andmoves[1].

The complexity in roundevaluates the execution time according to the speed of the slowest processes. The definition of round uses the concept of neutralization: a process v is neutral- ized during a step γ_i 7→γ_i+1, if v is enabled in γ_i but not in configurationγ_i+1, and it is not activated in the step γ_i 7→ γ_i+1. Then, the rounds are inductively defined as follows. The first round of an execution e=γ0, γ1, ...is its minimal prefix e⁰ such that every process that is enabled in γ₀ either executes a action or is neutralized during a step of e⁰. If e⁰ is finite, then the second round of e is the first round of the suffix γ_t, γ_t+1, ... of e starting from the last configuration γt of e⁰, and so forth. The complexity in moves captures the amount of computations an algorithm needs. Indeed, we say that a process moves in γ_i 7→ γ_i+1 when it executes an action in γ_i 7→γ_i+1.

2.5 Silent Self-Stabilization and Stabilization Time

Definition 1 (Silent Self-Stabilization [34]). Let A be a distributed algorithm for a network G, SP a predicate over the configurations of A, andDa daemon. Aissilent and self-stabili- zing for SP in G underD if the following two conditions hold:

• Every execution of A under D is finite, and

• every terminal configuration of A satisfies SP.

In this case, every terminal (resp. non-terminal) configuration is said to be legitimate w.r.t.

SP, (resp. illegitimate w.r.t. SP).

The stabilization time in rounds (resp. moves) of a silent self-stabilizing algorithm is the maximum number of rounds (resp. moves) over every execution possible under the considered daemon (starting from any initial configuration) to reach a terminal (legitimate) configuration.

3 Algorithm with Acyclic Strategy

In this section, we define a class of algorithm, the distributed algorithms thatfollow an cyclic strategy, for which we will study the correctness and time complexity. LetA be a distributed algorithm running on some network G= (V, E).

3.1 Variable Names

We assume that every process is endowed with the same set of variables and we denote by N ames the set of names of those variables, namely: N ames ={x : p∈ V ∧p.x∈ V ar_p}.

We also assume that for every name x ∈ N ames, for all processes p and q, variables p.x

and q.x have the same definition domain. The set of names is partitioned into two subsets:

ConstN ames, the set of constant names, andV arN ames=N ames\ConstN ames, the set of writable variable names. A name x is in V arN ames as soon as there exists a process p such that p.x∈V ar_p and p.xis written by an action of its local algorithm A(p). For every c∈ ConstN ames and every process p∈ V, p.c is never written by any action and it has a pre-defined constant value (which may differ from one process to another, e.g., Γ, the name of the neighborhood).

We assume that A is well-formed, i.e., V arN ames can be partitioned into k sets V ar₁, ..., V ar_k such that ∀p ∈ V, A(p) consists of exactly k actions A₁(p), ..., A_k(p) such that Write(Ai(p)) = {p.v : v ∈ V ari}, for all i∈ {1, ..., k}. Let Ai ={Ai(p) : p∈ V}, for all i∈ {1, ..., k}. EveryA_i is called a family (of actions). By definition,A₁, ..., A_k is a partition over all actions of A, henceforth called afamilies’ partition.

Remark 1. Since A is assumed to bewell-formed, there is exactly one action ofA(p) where p.v is written, for every process p and every writable variable p.v (of p).

3.2 Spanning Forest

In this work, we assume that every process is endowed with constant variables that define a spanning forest over the graphG. Precisely, we assume the constant namesparent, children∈ ConstN ames such that for every process p∈ V, p.parent and p.children are preset as fol- lows:

• p.parent ∈ p.Γ∪ {⊥}: p.parent is either a neighbor of p (its parent in the forest), or

⊥. In this latter case, pis called a (tree) root.

Hence, the graph made of verticesV and edges{(p, p.parent) : p∈V ∧p.parent6=⊥}

is assumed to be a spanning forest of G.

• p.children⊆p.Γ: p.children contains the neighbors ofpwhich are the children ofpin the forest,i.e., for every p, q ∈V,p.parent=q ⇐⇒ p∈q.children.

Notice that the latter constraint implies that the graph made of vertices V and edges {(q, p) : p∈V ∧q∈p.children} is also a spanning forest of G.

Ifp.children =∅, then p is called a leaf.

Note that p.Γ \ ({p.parent} ∪p.children) may not be empty. The set of p’s ancestors, Ancestors(p), can be recursively defined as follows:

• Ancestors(p) ={p} ifp is a root,

• Ancestors(p) ={p} ∪Ancestors(p.parent)otherwise.

Similarly, the set of p’sdescendents, Descendents(p), can be recursively defined as follows:

• Descendents(p) ={p} ifp is a leaf,

• Descendents(p) ={p} ∪S

q∈p.childrenDescendents(q) otherwise.

3.3 Acyclic Strategy

Let A₁, ..., A_k be the families’ partition of A. A_i, with i ∈ {1, ..., k}, is said to be correct- alone if for every process p and every step γ 7→ γ⁰ such that A_i(p) is executed in γ 7→ γ⁰, if no variable in G-Read(A_i(p))\Write(A_i(p)) is modified in γ 7→ γ⁰, then A_i(p) is disabled in γ⁰. Notice that if a variable in Write(A_i(p)) is modified in γ 7→ γ⁰, then it is necessarily modified by A_i(p), by Remark 1.

Let≺Abe a binary relation over the families of actions of Asuch that fori, j ∈ {1, ..., k}, A_j ≺A A_i if and only if i6=j and there exist two processes pand q such that q∈ p.Γ∪ {p}

and Write(A_j(p)) ∩ G-Read(A_i(q)) 6= ∅. We conveniently represent the relation ≺_A by a directed graph GC called Graph of actions’ Causality and defined as follows: GC = ({A₁, ..., A_k},{(A_j, A_i), A_j ≺A A_i}).

Intuitively, a family of actions A_i is top-down if activations of its corresponding actions are only propagated down in the forest, i.e., when some process q executes action A_i(q), A_i(q) can only activate A_i at some of its children p, if any. In this case, A_i(q) writes to some variables G-read by A_i(p), these latter are usually G-read to be compared to variables written by A_i(p) itself. In other words, a variable G-read by A_i(p) can be written by A_i(q) only ifq=porq=p.parent. Hence, a family of actionsA_i is said to betop-down if for every process p and everyq.v ∈G-Read(A_i(p)), we have q.v ∈Write(A_i(q))⇒q∈ {p, p.parent}.

Intuitively, a family of actions A_i is bottom-up if activations of its corresponding actions are only propagated up in the forest, i.e. when some process q executes actionA_i(q), A_i(q) can only activate A_i at its parent p, if any. In this case, A_i(q) writes to some variables G- read byA_i(p), these latter are usually G-read to be compared to variables written by A_i(p) itself. In other words, a variable G-read by A_i(p) can be written by A_i(q) only if q = p or q ∈ p.children. Hence, a family A_i is said to be bottom-up if for every process p and every q.v∈G-Read(A_i(p)), we have q.v∈Write(A_i(q))⇒q ∈p.children∪ {p}.

A distributed algorithm A follows an acyclic strategy if it is well-formed, its graph of actions’ causality GC is acyclic, and for every A_i in its families’ partition, A_i is correct- alone and either bottom-up or top-down.

4 Move Complexity of Algorithms with Acyclic Strat- egy

In this section, we exhibit a polynomial upper bound on the move complexity of any algorithm that follows an acyclic strategy. Throughout this section, we consider a distributed algorithm A which follows an acyclic strategy and runs on the network G= (V, E). We use the same notation as in the previous section, in particular, we let A₁, ..., A_k be the families’ partition of A.

4.1 Definitions

Letp be a process and A_i, i∈ {1, ..., k} a family of actions.

We define the impacting zone of pand Ai, notedZ(p, Ai), as follows:

• Z(p, Ai) =Ancestors(p) ifAi is top-down,

• Z(p, A_i) =Descendents(p) otherwise (i.e.,A_i is bottom-up).

Remark 2. By definition, we have 1 ≤ |Z(p, A_i)| ≤ n. Moreover, if A_i is top-down, then we have 1≤ |Z(p, A_i)| ≤H+ 1≤ n, where H is the height of G, i.e., the maximum among the heights¹ of the roots of all trees of the forest

We also define the quantity M(A_i, p) as:

• the level² of p inG if A_i is top-down,

• the height of p inG otherwise (i.e.,A_i is bottom-up).

Remark 3. By definition, we have 0≤M(A_i, p)≤H, where H is the height of G.

We define

Others(A_i, p) ={q ∈p.Γ : ∃A_j, i6=j∧Write(A_j(q))∩G-Read(A_i(p))6=∅}

the set of neighbors q of pthat have actions other than A_i(q) which write variables that are G-read by A_i(p). We also note:

maxO(A_i) = max({|Others(A_i, p)| : p∈V} ∪ {maxO(A_j) : A_j ≺A A_i)})

Remark 4. By definition, we have maxO(Ai) ≤ ∆. Moreover, if ∀p ∈ V, ∀i ∈ {1, ..., k}, Others(A_i, p) is empty,i.e., no neighbor q of p writes into a variable read by A_i(p)using an action other than A_i(q), then ∀j ∈ {1, ..., k}, maxO(A_j) = 0.

4.2 Stabilization Time in Moves

Lemma 1. Let A_i be a family of actions and p be a process. For every execution e of the algorithm A on G, we have

#m(e, A_i, p)≤

n. 1 +d. 1 +maxO(A_i) H(Ai)

.|Z(p, A_i)|

where #m(e, Ai, p) is the number of times p executes Ai(p) in e, d is the in-degree of GC,³ and H(A_i) is the height of A_i in GC.⁴

Proof. Lete =γ₀, ..., γ_x, ...be any execution of A onG.

LetK(Ai, p) = M(Ai, p) + (H+ 1).H(Ai). We proceed by induction onK(Ai, p).

1The height ofpinGis 0 ifpis a leaf. Otherwise the height of pinGis equal to one plus the maximum among the heights of its children.

2The level ofpin Gis the distance from pto the root of its tree inG(0 ifpis the root itself).

3d= max{|{Aj : Aj ≺AAi}| : i∈ {1, ..., k}}.

4The height ofAi in GCis 0 if Ai is a leaf of GC. Otherwise, it is equal to one plus the maximum of the heights of theAi’s predecessorsw.r.t. ≺A.

Base Case: Assume K(A_i, p) = 0 for some family A_i and some process p. By definition, H ≥ 0, H(A_i) ≥ 0 and M(A_i, p) ≥ 0. Hence, K(A_i, p) = 0 implies that H(A_i) = 0 and M(A_i, p) = 0. Since M(A_i, p) = 0, Z(p, A_i) = {p}. So, since A_i is top-down or bottom-up, for every q.v ∈ G-Read(A_i(p)), q.v ∈ Write(A_i(q)) ⇒ q = p. Moreover, since H(A_i) = 0, ∀j 6= i, A_j 6≺A A_i. So, for every j 6= i and every q ∈ p.Γ∪ {p}, Write(A_j(p))∩G-Read(A_i(q)) =∅. Hence, no action exceptA_i(p) can modify a variable inG-Read(A_i(p)). Thus, #m(e, A_i, p)≤1 since A_i is correct-alone.

Induction Hypothesis: LetK ≥0. Assume that for every family A_j and every process q such that K(A_j, q)≤K, we have

#m(e, A_j, q)≤

n. 1 +d. 1 +maxO(A_j) H(Aj)

.|Z(q, A_j)|

Induction Step: Assume that for some family Ai and some process p, K(Ai, p) = K + 1. If #m(e, A_i, p) equals 0 or 1, then the result trivially holds. Assume now that

#m(e, A_i, p)>1 and consider two consecutive executions of A_i(p) in e,i.e., there exist x, y such that 0≤x < y,Ai(p) is executed in both γx 7→γx+1 and γy 7→γy+1, but not in stepsγ_z 7→γ_z+1 withz ∈ {x+ 1, ..., y−1}. Then, since A_i is correct-alone, at least one variable in G-Read(A_i(p)) has to be modified by an action other than A_i(p) in a step γz 7→ γz+1 with z ∈ {x, ..., y−1} so that Ai(p) becomes enabled again. Namely, there are j ∈ {1, ..., k} and q ∈V such that (a) j 6=i or q 6=p, A_j(q) is executed in a step γ_z 7→γ_z+1, and Write(A_j(q))∩G-Read(A_i(p))6=∅. Note also that, by definition, (b) q ∈ p.Γ∪ {p}. Finally, by definitions of top-down and bottom-up, (a), and (b), A_j(q) satisfies: (1)j 6=i∧q =p, (2) j =i∧q∈p.Γ∩Z(p, A_i), or (3) j 6=i∧q ∈p.Γ.

In other words, at least one of the three following cases occurs:

(1) pexecutesA_j(p)in stepγ_z 7→γ_z+1withj 6=iand Write(A_j(p))∩G-Read(A_i(p))6=

∅.

Consequently,A_j ≺A A_iand, so,H(A_j)<H(A_i). Moreover,M(A_j, p)−M(A_i, p)≤ H and H(A_j)<H(A_i) imply K(A_j, p)< K(A_i, p) =K + 1. Hence, by induction hypothesis, we have:

#m(e, A_j, p)≤

n. 1 +d. 1 +maxO(A_j) H(Aj)

.|Z(p, A_j)|

(2) There is q ∈ p.Γ ∩Z(p, A_i) such that q executes A_i(q) in step γ_z 7→ γ_z+1 and Write(A_i(q))∩G-Read(A_i(p))6=∅.

Then, M(A_i, q) < M(A_i, p). Since M(A_i, q) < M(A_i, p), K(A_i, q) < K(A_i, p) = K+ 1 and, by induction hypothesis, we have:

#m(e, A_i, q)≤

n. 1 +d. 1 +maxO(A_i) H(Ai)

.|Z(q, A_i)|

(3) A neighbor q of p executes an action A_j(q) in step γ_z 7→ γ_z+1, with j 6= i and Write(Aj(q))∩G-Read(Ai(p))6=∅.

Consequently, q ∈ Others(A_i, p) and A_j ≺_A A_i and, so, H(A_j) < H(A_i). More- over,M(A_j, q)−M(A_i, p)≤H and H(A_j)<H(A_i) implyK(A_j, q)< K(A_i, p) = K+ 1. Hence, by induction hypothesis, we have:

#m(e, A_j, q)≤

n. 1 +d. 1 +maxO(A_j) H(Aj)

.|Z(q, A_j)|

(Notice that Cases 1 and 3 can only occur when H(Ai)>0.)

We now bound the number of times each of the three above cases occur in the execution e.

Case 1: By definition, there exist at most d predecessors A_j of A_i inGC (i.e., such that A_j ≺A A_i). For each of them, we have H(A_j) < H(A_i), |Z(p, A_j)| ≤ n (by Remark 2) andmaxO(A_j)≤maxO(A_i). Hence, overall this case appears at most P

{Aj :Aj≺AAi}#m(e, A_j, p)

≤ X

{Aj :Aj≺AAi}

n. 1 +d. 1 +maxO(Aj) H(Aj)

.|Z(p, Aj)|

≤ X

{A_j : Aj≺AAi}

n. 1 +d. 1 +maxO(A_i)

H(Ai)−1

.n

≤ d

n. 1 +d. 1 +maxO(A_i)

H(Ai)−1

.n

≤ d.n^H(Ai). 1 +d. 1 +maxO(A_i)H(Ai)−1

(1) Case 2: By definition,

Z(p, A_i) ={p} ] ]

q∈p.Γ∩Z(p,A_i)

Z(q, A_i) Hence, overall this case appears at most P

q∈p.Γ∩Z(p,A_i)#m(e, A_i, q)

≤ X

q∈p.Γ∩Z(p,Ai)

n. 1 +d. 1 +maxO(A_i) H(Ai)

.|Z(q, A_i)|

≤ n^H(Ai). 1 +d. 1 +maxO(A_i)H(Ai)

. |Z(p, A_i)| −1

(2) Case 3: Again, for everyAj ≺A Ai, we haveH(Aj)<H(Ai),maxO(Aj)≤maxO(Ai), andZ(q, A_j)≤n(Remark 2). By definition, there are at most dfamiliesA_j such that A_j ≺A A_i. Finally, |Others(A_i, p)| ≤ maxO(A_i), by definition. Hence, overall this case appears at most

P

{A_j :Aj≺AAi}

P

{q∈Others(A_i,p)}#m(e, A_j, q)

≤ X

{A_j :Aj≺AAi}

X

{q∈Others(A_i,p)}

n. 1 +d. 1 +maxO(A_j) H(Aj)

.|Z(q, A_j)|

≤ X

{Aj :Aj≺AAi}

X

{q∈Others(Ai,p)}

n. 1 +d. 1 +maxO(A_i)

H(Ai)−1

.n

≤ d.maxO(A_i).n^H(Ai). 1 +d. 1 +maxO(A_i)H(Ai)−1

(3) Overall #m(e, A_i, p) is less than or equal to 1 plus the sum of (1), (2), and (3) which less than or equal to

n^H(Ai). 1 +d. 1 +maxO(A_i)H(Ai)

.|Z(p, A_i)|

Since maxO(A_i)≤∆ (Remark 4) and |Z(p, A_i)| ≤n (by Remark 2), we have Corollary 1. Every execution of A on G contains at most 1 +d.(1 + ∆)H

.k.n^H+2 moves, where k is the number of families of A, d is the in-degree of GC, and H the height of GC.

From Corollary 1 and Definition 1, follows.

Theorem 1. Let A be a distributed algorithm for a network G endowed with a spanning forest, SP a predicate over the configurations of A. If A follows an acyclic strategy and every terminal configuration of A satisfies SP, then

• A is silent and self-stabilizing for SP in G under the distributed unfair daemon, and

• its stabilization time is at most 1 +d.(1 + ∆)H

.k.n^H+2 moves,

where k is the number of families of A, d is the in-degree of GC, and H the height of GC.

5 Toy Example

In this section, we propose a simple example of algorithm, called AlgorithmT E, to show how to instantiate our results. The aim of this section is threefold: (1) show that correctness and move complexity ofT E can be easily deduced from our general results, (2) our upper bound on stabilization time in moves is tight for this example, and (3) our definition of acyclic strategy allows the design of solutions (like T E) that are inefficient in terms of rounds. We will show how to circumvent this latter negative result in Section 6.

T E assumes an constant integer input p.input ∈ N at each process. T E computes the sum of all inputs and then spreads this result everywhere in the network. T E assumes that the networkT = (V, E) is a tree (i.e., an undirected connected acyclic graph) with a sense of

direction (given by variables named parent and children) which defines a spanning in-tree rooted at process r (the unique root, i.e., the unique process satisfyingr.parent=⊥).

Apart from the inputs and the constants used to describe the topology, every process p has two variables: p.sub ∈ N (which is used to compute the sum of input values in the subtree of p) and p.res ∈ N (which stabilizes to the result of the computation, i.e., the sum of all inputs). The algorithm consists of two families of actions S and R. S computes variables suband is defined as follows.

For every process p S(p) :: p.sub6= ( X

q∈p.children

q.sub) +p.input7−→p.sub ←( X

q∈p.children

q.sub) +p.input

R computes variables res and is defined as follows.

R(r) ::r.res6=r.sub7−→r.res←r.sub For every process p6=r

R(p) ::p.res6= max(p.parent.res, p.sub)7−→p.res ←max(p.parent.res, p.sub)

Remark that S is bottom-up and correct-alone, while R is top-down and correct-alone.

Moreover, the graph of actions’ causality is simply S −→R

So, by Corollary 1 (withd= 1, H= 1 andk= 2), every execution of the algorithm contains at most (2 + ∆).n³ moves and, as a direct consequence, every execution terminates under the distributed unfair daemon. Notice also that in every terminal configuration, every processp satisfies the following properties:

(1) p.sub=p.input+P

q∈p.childrenq.sub,

(2) p.res=p.sub if p=r,p.res = max(p.parent.res, p.sub) otherwise.

Let P_input ≡ ∀p∈ V, p.res = P

q∈V q.input. By induction on the tree T, we can show that P_input holds in any terminal configuration. Hence, by Theorem 1, follows:

Lemma 2. The algorithmT E is silent and self-stabilizing for P_input in T under a distributed unfair daemon; its stabilization time is at most (2 + ∆).n³ moves.

Using Lemma 1 directly, the move complexity of T E can be further refined. Let e be any execution and H be the height of T. First, note that, maxO(S) = maxO(R) = 0, by Remark 4.

(1) Since S is bottom-up, |Z(p, S)| ≤ n, for every process p. Moreover, the height of S is 0 in the graph of actions’ causality. Hence, by Lemma 1, we have #m(e, S, p)≤n, for all processes p. Thus, e contains at most n² moves of S.

(2) Since R is top-down, |Z(p, R)| ≤ H+ 1, for every process p. Moreover, the height of R is 1 in the graph of actions’ causality. Hence, by Lemma 1, we have #m(e, R, p)≤ 2.n.(H+ 1), for all processes p. Thus, e contains at most 2.n².(H+ 1) moves ofR.

Overall, we have

Lemma 3. The stabilization time of the algorithm T E is at most n²(3 + 2H) moves, i.e., O(H.n²) moves.

5.1 Lower Bound in Moves

We now show that the stabilization time of T E is Ω(H.n²) moves, meaning that the upper bound given by Lemma 3 is asymptotically reachable. To that goal, we consider a directed line of n processes, with n ≥ 4, noted p₁, ..., p_n: p₁ is the root and for every i ∈ {2, ..., n}, there is a link between p_i−1 and p_i, moreover,p_i.parent=p_i−1 (note thatH =n). We build a possible execution of T E running on this line that contains Ω(H.n²) moves. We assume a central (unfair) daemon: at each step exactly one process executes an action. (The central daemon is a particular case of the distributed unfair daemon.)

In this execution, we fix thatp_i.input = 1, for everyi∈ {1, ..., n}. Moreover, we consider two classes of configurations: ConfigurationsX_2i+1(with 3≤2i+ 1≤n) and Configurations Y_2i+2 (with 4≤2i+ 2≤n), see Figure 1.

Configuration X_2i+1, 3≤2i+ 1≤n:

p₁ . . . p_2i−2 p_2i−1 p_2i p_2i+1 p_2i+2 p_2i+3 p_2i+4 p_2i+5 . . .

input 1 . . . 1 1 1 1 1 1 1 1 . . .

sub 2i . . . 3 2 1 0 2i 0 2i+ 2 0 . . .

res 2i . . . 2i 2i 2i 0 0 0 0 0 . . .

Configuration Y_2i+2, 4≤2i+ 2 ≤n:

p₁ . . . p2i−2 p2i−1 p_2i p_2i+1 p_2i+2 p_2i+3 p_2i+4 p_2i+5 . . .

input 1 . . . 1 1 1 1 1 1 1 1 . . .

sub 4i+ 1 . . . 2i+ 4 2i+ 3 2i+ 2 2i+ 1 2i 0 2i+ 2 0 . . . res 4i+ 1 . . . 4i+ 1 4i+ 1 4i+ 1 4i+ 1 0 0 0 0 . . .

Figure 1: Configurations X_2i+1 and Y_2i+2

The initial configuration of the execution isX₃. Then, we proceed as follows: the system converges from configurationX_2i+1to configurationY_2i+2 and then fromY_2i+2 toX_2i+3, back and forth, until reaching a terminal configuration (X_n if n is odd, Y_n otherwise).

The system converges from configuration X_2i+1 to configuration Y_2i+2, for every i ≥ 1 and 2i+ 2≤n, in Ω(i²) moves when the central daemon activates processes in the following order:

1: for j=2i+ 1 down to 1 do

2: p_j executes S(p_j) . p_j.sub= 4i+ 2−j

3: for k=j to 2i+ 1 do

4: p_k executes R(p_k) . p_k.res= 4i+ 2−j

5: done

6: done

Then, the system converges from configuration Y_2i+2 to configuration X_2i+3, for every i ≥ 1 and 2i+ 3 ≤ n in Ω(i) moves when the central daemon activates processes in the following order:

1: for j=2i+ 2 down to 1 do

2: p_j executes S(p_j) . p_j.sub= 2i+ 3−j

3: done

4: for j=1 to 2i+ 2 do

5: p_j executes R(p_j) . p_j.res= 2i+ 2

6: done

Hence, following this scheduling of actions, the execution that starts in configuration X3

converges to X_n (resp. Y_n) if n is odd (resp. even) and contains Ω(n³) moves, i.e., Ω(H.n²) since the network is a line.

Remark that in this execution, for every process p, when R(p) is activated, S(p) is disabled: this means that if the algorithm is modified so thatS(p) has local priority overR(p) for every processp(like in the method proposed in Subsection 6.2), the proposed execution is still possible keeping to a move complexity in Ω(H.n²) even for such a prioritized algorithm.

5.2 Lower Bound in Rounds

We now show that T E has a stabilization time in Ω(n) rounds in any tree of height H = 1, i.e., a star network. This negative result is mainly due to the fact that families R andS are not locally mutually exclusive. In the next section, we will propose a simple transformation to obtain a stabilization time in O(H) rounds, so O(1) rounds in the case of a star network.

We will also show that this latter transformation does not affect the move complexity.

Our proof consists in exhibiting a possible execution that terminates in n + 3 rounds assuming a central unfair daemon, that is, at each step exactly one process executes an action. Notice that the central unfair daemon is a particular case of the distributed unfair daemon.

input=1 sub=1 res=1

p1 = r

input=1 sub=0 res=1

p2

input=1 sub=0 res=1

pn

…

Figure 2: C1, initial con- figuration.

input=1 sub=i res=i

p1 = r

input=1 sub=1

res=i

p2

input=1 sub=1

res=i

pi

input=1 sub=0

res=i

pn

… ^input=1sub=0 …

res=i

pi+1

Figure 3: Ci,i∈ {2, ..., n−1}.

input=1 sub=n res=n

p1 = r

input=1 sub=1 res=n

p2

input=1 sub=1 res=n

pn

…

Figure 4: Cn, terminal configuration.

We consider a star network ofn processes (n ≥2): p₁ is the root of the tree andp₂, ..., p_n are the leaves (namely links are {{p₁, p_i}, i = 2, ..., n}). We note C_i, i ∈ {1, ..., n}, the configuration satisfying the following three conditions:

• for every j ∈ {1, ..., n}, p_j.input= 1;

• p₁.sub=i, for everyj ∈ {2, ..., i},p_j.sub= 1, and for everyj ∈ {i+1, ..., n},p_j.sub= 0;

and

• for every j ∈ {1, ..., n}, p_j.res=i.

C₁, C_i with i ∈ {2, ..., n−1}, and C_n are respectively shown in Figures 2, 3, and 4. In these figures, a variable is underlined whenever an action is enabled to modify it. Note that in configuration C_i, processes p₁, ..., p_i are disabled and processes p_i+1, ..., p_n are enabled for S. We now build a possible execution that starts from C₁ and successively converges to configurations C2, ..., Cn (Cn is a terminal configuration). To converge from Ci to Ci+1, i∈ {1, ..., n−1}, the daemon applies the following scheduling:

1: p_i+1 executes S(p_i+1) . p_i+1.sub= 1

2: p1 executes S(p1) . p1.sub=i+ 1

3: p₁ executes R(p₁) . p₁.res=i+ 1

4: for j=2 to n do

5: pj executesR(pj) . pj.res=i+ 1

6: done

For i ∈ {1, ..., n−2}, the convergence from C_i to C_i+1 lasts exactly one round. Indeed, each process executes at least one action between C_i and C_i+1 and process p_n is enabled at configuration C_i and remains continuously enabled until being activated as the last process to execute in the round. The convergence from C_n−1 toC_n lasts four rounds: in C_n−1, only p_n is enabled to execute S(p_n) hence the round terminates in one step where only S(p_n) is executed. Similarly, p₁ then sequentially executes S(p₁) and R(p₁) in two rounds. Finally, p₂, ..., p_n execute R in one round and then the system is in the terminal configuration C_n.

Hence the above execution lasts n+ 3 rounds.

6 Round Complexity of Algorithms with Acyclic Strat- egy

In this section, we first propose an extra sufficient condition for any algorithm following an acyclic strategy to stabilize inO(H) rounds. We then propose a simple method to add this property to any algorithm that follows an acyclic strategy, without compromising the move complexity.

6.1 A Condition for a Stabilization Time in O(H ) rounds

Let A1, ..., Ak be the families’ partition of A. We say that two families Ai and Aj are locally mutually exclusiveif for every processp, there is no configurationγ where bothA_i(p) and A_j(p) are enabled. By extension, we say A is locally mutually exclusive if for every i, j ∈ {1, ..., k}, i6=j implies that Ai and Aj are locally mutually exclusive.

Theorem 2. Let A be a distributed algorithm for a network G endowed with a spanning forest. If Afollows an acyclic strategy and is locally mutually exclusive, then every execution of A reaches a terminal configuration within at most (H+ 1).(H+ 1) rounds, where H the height of the graph of actions’ causality GC of A and H is the height of the spanning forest in G.

Proof. LetAi be a family of actions ofAandpbe a process. We noteR(Ai, p) =H(Ai).(H+ 1) +M(A_i, p) + 1 (recall that H(A_i) andM(A_i, p) are defined in Section 4).

We now show by induction that for every family A_i and every process p, after R(A_i, p) rounds Ai(p) is disabled forever.

Letpbe a process andA_i be a family. By definition,H(A_i)≥0,H≥0, andM(A_i, p)≥0, hence R(A_i, p)≥1.

Base Case: Assume that R(A_i, p) = 1. By definition, M(A_i, p) = 0 and H(A_i) = 0. Since M(A_i, p) = 0, Z(p, A_i) = {p}. So, since A_i is top-down or bottom-up, for every q.v∈G-Read(A_i(p)), q.v∈Write(A_i(q))⇒q=p. Moreover, since H(A_i) = 0, ∀j 6=i, A_j 6≺_AA_i. So, for everyj 6=iand everyq ∈p.Γ∪ {p},Write(A_j(p))∩G-Read(A_i(q)) =

∅. Hence, no action exceptA_i(p) can modify a variable inG-Read(A_i(p)). Thus, ifA_i(p) is (initially) disabled, then A_i(p) is disabled forever. Otherwise, A_i(p) is continuously enabled until being executed; and, within at most one round, A_i(p) is executed since A is locally mutually exclusive. After this first execution of A_i(p), A_i(p) is disabled forever since A_i is correct-alone.

Induction Hypothesis: Let R≥1. Assume that for every family A_j and every process q such that R(Aj, q)≤R, after R(Aj, q) rounds, R(Aj, q) is disabled forever.

Induction Step: Assume that for some family A_i and some process p, R(A_i, p) = R+ 1.

SinceA_i is either bottom-up or top-down and by definition of≺A, we can deduce that for every familyA_j, everyq ∈p.Γ∪ {p}, and everyq.v ∈Write(A_j(q))∩G-Read(A_i(p)) one of the following four conditions hold:

(1) j =i∧q =p.

(2) j = i∧q ∈ p.Γ ∩Z(p, A_i). In this case, M(A_i, q) < M(A_i, p), so R(A_i, q) <

R(A_i, p) =R+ 1.

(3) j 6=i∧q =p∧Aj ≺A Ai. In this case, Aj ≺A Ai implies that H(Aj)<H(Ai), so R(A_j, q) =R(A_j, p)< R(A_i, p) =R+ 1.

(4) j 6=i∧q ∈ p.Γ∧A_j ≺A A_i. In this case, A_j ≺A A_i implies that H(A_j)<H(A_i).

Moreover,M(Aj, q)−M(Ai, p)≤H. So, R(Aj, q)< R(Ai, p) = R+ 1.

Thus, by induction hypothesis, afterRrounds, all variables ofG-Read(A_i(p)) satisfying Cases (2), (3), or (4) are constant forever, i.e. all variables of G-Read(Ai(p)), except maybe those written by A_i(p) itself (Case (1)), are constant forever. So, if after R rounds,A_i(p) is disabled, then it is disabled forever. Otherwise, after R rounds,A_i(p) is continuously enabled until being executed; and, within at most one additional round, A_i(p) is executed since A is locally mutually exclusive. After the execution of A_i(p), A_i(p) is disabled forever since A_i is correct-alone. Hence, after R+ 1 rounds, A_i(p) is disabled forever, and we are done.

Since for every family A_i and every process p, H(A_i) ≤ H and M(A_i, p) ≤ H, we have R(A_i, p)≤(H+ 1).(H+ 1), hence the lemma holds.

From Theorem 2 and Definition 1, follows.

Corollary 2. Let A be a distributed algorithm for a network G endowed with a spanning forest and SP a predicate over the configurations of A. If A follows an acyclic strategy, is locally mutually exclusive, and every terminal configuration of A satisfies SP, then

• A is silent and self-stabilizing for SP in G under the distributed unfair daemon, and

• its stabilization time is at most (H+ 1).(H+ 1) rounds,

where H the height of the graph of actions’ causality GC of A and H is the height of the spanning forest in G.

By definition, H < k, the bound exhibited by the previous lemma is in O(k.H) where k is the number of families of the algorithm. Actually, the local mutual exclusion of the algorithm is usually implemented by enforcing priorities on families as in the transformer presented below. Hence, in practical cases, H=k−1, as shown in Lemma 8.

6.2 A Transformer

We have shown in Subsection 5.2 that there are algorithms that follow an acyclic strategy but are not locally mutually exclusive which stabilize in Ω(n) rounds in the worst case. So, we formalize now a generic method to give the mutually exclusive property to such algorithms, allowing then to obtain a complexity in O(H) rounds. Notice that the method does not degrade the move complexity.

LetAbe any distributed algorithm for a networkGendowed with a spanning forest that follows an acyclic strategy. Letk be the number of families ofA. In the following, for every process p and every family A_i, we identify the guard and the statement of Action A_i(p) by G_i(p) andS_i(p), respectively.

Let/A be any strict total order on families of A compatible with≺A, i.e.,/A is a binary relation on families of A that satisfies the following three conditions:

Strict Order: /A is irreflexive and transitive;⁵

Total: for every two families Ai, Aj, we have either Ai/AAj,Aj/AAi, or i=j; and Compatibility: for every two families A_i, A_j, if A_i ≺A A_j, then A_i/AA_j.

LetT(A) be the following algorithm:

• T(A) and A have the same set of variables.

5Notice that irreflexivity and transitivity implies asymmetry.

• Every process p∈V holds the following k actions. For every i∈ {1, ..., k}, A^T_i(p) :: G^T_i(p) 7−→ S_i^T(p)

where G^T_i(p) = V

Aj/AAi¬G_j(p)

∧G_i(p) and S_i^T(p) = S_i(p).

G_i(p) (resp. the set {G_j(p) : A_j /A A_i}) is called the positive part (resp. negative part) of G^T_i(p).

Notice that, by definition,≺Ais irreflexive and the graph of actions’ causality induced by≺A

is acyclic. Hence, there always exists a strict total order compatible with≺A,i.e., the above transformation is always possible for any algorithmA which follows an acyclic strategy.

Remark 5. T(A) is well-formed and A^T₁, ..., A^T_k is the families’ partition of T(A), where A^T_i ={A^T_i(p) : p∈V}, for every i∈ {1, ..., k}.

By construction, we have :

Remark 6. For every i, j ∈ {1, ..., k} such that i6=j, and every process p, the positive part of G^T_j(p) belongs to the negative part in G^T_i(p) if and only if A_j /AA_i.

Lemma 4. T(A) is locally mutually exclusive.

Proof. Let A^T_i and A^T_j be two different families of T(A). Then, either A_i /A A_j or A_j /AA_i (/A is a strict total order). Without the loss of generality, assume A_i /AA_j. Let p be any process and γ be any configuration. The positive part of G^T_i(p) belongs to the negative part of G^T_j(p) (see Remark 6), and consequently, A^T_i(p) and A^T_j(p) cannot be both enabled in γ.

Hence, A^T_i and A^T_j are locally mutually exclusive, which in turns implies that T(A) is locally mutually exclusive.

Lemma 5. For every i, j ∈ {1, ..., k}, if A^T_j ≺T(A) A^T_i, then A_j/AA_i.

Proof. Let A^T_i and A^T_j be two families such that A^T_j ≺_T(A) A^T_i. Then, i 6= j and there exist two processes p and q such that q ∈ p.Γ∪ {p} and Write(A^T_j(p))∩G-Read(A^T_i(q)) 6=

∅. Then, Write(A^T_j(p)) = Write(Aj(p)), and either Write(Aj(p))∩G-Read(Ai(q)) 6= ∅, or Write(A_j(p))∩G-Read(A_k(q)) 6= ∅ where G_k(q) belongs to the negative part of G^T_i(q). In the former case, we haveA_j ≺A A_i, which implies thatA_j/AA_i (/A is compatible with≺A).

In the latter case, Aj ≺A Ak (by definition) and Ak/AAi (by Remark 6). Since, Aj ≺A Ak

implies A_j /AA_k (/A is compatible with ≺A), by transitivity we have A_j /AA_i. Hence, for every i, j ∈ {1, ..., k}, A^T_j ≺T(A)A^T_i implies A_j /AA_i, and we are done.

Lemma 6. T(A) follows an acyclic strategy.

Proof. LetA^T_i be a family ofT(A). The lemma is immediate from the following three claims.

Claim I: A^T_i is correct-alone.

Proof of the claim: Since A follows an acyclic strategy, A_i is correct-alone. Moreover, for every process p, we have S_i^T(p) = S_i(p) and ¬G_i(p) ⇒ ¬G^T_i(p). Hence, A^T_i is also correct-alone.